Compliance. TODAY August Creative passion, collaboration, and soft skills in Compliance

Size: px

Start display at page:

Download "Compliance. TODAY August Creative passion, collaboration, and soft skills in Compliance"

Christian Parker
5 years ago
Views:

Compliance TODAY August 2016 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION WWW.HCCA-INFO.ORG Creative passion, collaboration, and soft skills in Compliance an interview with Walter E.

1 Compliance TODAY August 2016 A PUBLICATION OF THE HEALTH CARE COMPLIANCE ASSOCIATION Creative passion, collaboration, and soft skills in Compliance an interview with Walter E. Johnson Director of Compliance and Ethics Kforce Government Solutions, Inc. See page When employees cry foul: OSHA s investigation of whistleblower claims Jim Vines and Stephen McCullers 32 Are you faxing your way to a HIPAA violation? Rick Brinegar 37 A legal perspective on external peer review Theresamarie Mantese and Jordan B. Segal 44 Navigating the choppy waters of medical director contracts Cameron Duncan This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at with reprint requests.

2 by Jennifer Mitchell, JD, CIPP/US and Lauren Rosen, MPA, CPC Identifying and managing HIPAA risks in mobile health» Mobile health, or mhealth, is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery.» Mobile application developers, as well as organizations that use mhealth technologies, must determine whether their activities are governed by HIPAA, and if so, must determine if their organization is HIPAA-compliant.» An mhealth company may be appropriately classified as a business associate to a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared.» OCR guidance confirms that mobile app developers are not covered entities under HIPAA, although they may be considered a business associate if they work directly for a health plan, clearing house, or provider.» Cybersecurity is the foundation for protection of personal data in an mhealth application. Jennifer Mitchell (jennifer.mitchell@navigant.com) is a Director with Navigant Consulting, Inc. in Los Angeles. Lauren Rosen (lauren.rosen@navigant.com) is a Senior Consultant with Navigant Consulting, Inc. in New York City. bit.ly/jennifer-mitchell Advancements in technology and improved access to health information have changed the landscape of our healthcare system over the past decade, and there can be little doubt that this trend will only accelerate in the years ahead. As a result, it is more important than ever that those who design or use newly available health technologies stay ahead of the possible privacy and data security risks associated with these advancements. The move toward consumer driven healthcare, the ease of sharing and exchanging health information, and the passing of the Affordable Care Act (ACA) have encouraged the creation of novel platforms in which healthcare is structured and available directly to patients, healthcare providers, and family members. The concept of accountable healthcare fundamentally links healthcare and wellness initiatives to positive outcomes. Indeed, even before the inception of the ACA, the Centers for Medicare & Medicaid Services (CMS) implemented the Meaningful Use program via the American Recovery and Reinvestment Act (ARRA) of This program incentivizes hospitals and physicians to adopt and use electronic health records (EHR) in meaningful ways. In addition, the program also encourages patient engagement and allows patients to be more involved in their care, including an understanding of their own health outcomes via patient portals. Mitchell What is mobile health? Rosen Mobile health, or mhealth, is a rising use of consumer electronic technology within the healthcare industry that fosters greater transparency and convenience in healthcare delivery. It enables both the patient and the provider to access mobile tools at any time, as well as providing continual care management across various devices and platforms. One of the biggest challenges mhealth faces is Compliance Today August

3 Compliance Today August 2016 how to protect privacy and secure the sensitive patient information exchanged. Although the accessibility of healthcare data creates enhanced pathways for providers and patients to communicate and potentially make more informed decisions about clinical intervention, the ease in which data is accessed is also its biggest threat. Mobile health may include a variety of mobile communication devices, such as smartphones and tablet computers, that support the practice of medicine, health, and wellness. The growing list of examples of mhealth includes: Patient monitoring devices Mobile telemedicine/telecare devices Medicine adherence monitoring Activity monitoring Smart wearables/smartphone applications (e.g., Jawbone/Fitbit) Emergency response systems Health-related mlearning or the general public, and Support for long-term or chronic conditions According to the 2014 Mobile Devices Study by the Health Information Management Systems Society (HIMSS), 500 million global smartphone users would be using a healthcare application by Almost 83% of the physicians who participated in the survey reported that they had downloaded at least one medical app. Another 33% of physicians and 75% of nurses reported that they used medical apps on smartphones daily as part of their work. About a third (35%) of the responding hospitals reported that they offered medical apps to patients in the form of patient portals, As the landscape of healthcare changed, the HIPAA rules adapted to the growing amount of information healthcare organizations collected and managed. telehealth services, and various forms of remote monitoring. 1 As the mhealth sector grows, however, the risks associated with the storage and/or transfer of sensitive health information across multiple platforms are also on the rise. Mobile application developers, as well as organizations that use mhealth technologies, must determine whether their activities are governed by HIPAA, and if so, must determine if their organization is HIPAA-compliant. HIPAA and the entities it regulates The Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards protected health information (PHI) from being used or disclosed without a patient s consent. In addition, HIPAA imposes technical, administrative, and physical safeguard requirements for storing and transmitting electronic PHI (ephi). As the landscape of healthcare changed, the HIPAA rules adapted to the growing amount of information healthcare organizations collected and managed. By 2013, now referred to as the HIPAA Omnibus Rule, the HIPAA requirements evolved and created privacy and security requirements for contractors and subcontractors of healthcare organizations. Companies such as health plans, healthcare clearinghouses, and most healthcare providers are considered covered entities (CEs) under HIPAA, and are therefore regulated by HIPAA. Most often, covered entities are the initial gatekeeper of PHI and are likely to control the main data warehouse where PHI is stored. Many covered entities have relationships and partnerships with other organizations,

4 commonly known as business associates, such as EHR vendors, law firms, and information technology companies. These organizations may utilize and/or store some aspects of PHI or all of the PHI data elements. Business associates may also sub-contract with other vendors and relay the same PHI housed by the covered entity and the business associate. If a covered entity delegates any privacy or security function or duty to a business associate, the business associate must perform in compliance with the HIPAA Privacy and Security Rule. In fact, business associates are subject to civil and, in some cases, criminal penalties for the inappropriate disclosure of PHI. Covered entities, business associates, and all other downstream entities who adopt mhealth technologies must be cognizant of the storage and transmission of PHI across all related entities, as well as other types of sensitive consumer-generated data. mhealth businesses: Covered entities or business associates? One of the initial challenges that the mhealth industry faces is deciphering whether they are regulated under HIPAA. An mhealth company may be appropriately classified as a business associate to a covered entity depending on the identity of the end user, the type of relationship between the entities, and what information is shared. In February 2016, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) provided much-awaited guidance to mobile application developers to answer OCR confirms that mobile app developers are not covered entities under HIPAA, although they may be considered a business associate if they work directly for a health plan, clearinghouse, or provider. the question of the applicability of HIPAA to their operations. In addition, OCR provided a crosswalk that maps the National Institute of Standards and Technology (NIST) to the HIPAA Security Rule. OCR also designed an interactive website to assist mobile app developers and healthcare organizations with submitting questions in order to determine whether the entity is required to follow HIPAA rules and regulations. The website also provides various examples explaining circumstances under which an app developer would be regulated by HIPAA. 2 In its guidance, OCR confirms that mobile app developers are not covered entities under HIPAA, although they may be considered a business associate if they work directly for a health plan, clearinghouse, or provider. Specifically, OCR stated that an mhealth application is a business associate if: (1) they contract with a healthcare provider or healthcare organization; (2) the device or software allows a patient to enter their PHI; and (3) the information transfers directly into the patient s EHR for purposes of care decision-making or planning. The OCR guidance suggests mobile app developers consider the following questions in order to determine if they are business associates: Are your clients covered entities or other business associates, such as hospitals, doctor s offices, clinics, pharmacies, or other healthcare providers? Do these covered entities or business associates transmit PHI to health insurance organizations or health and wellness program-related information to a health plan offered by an employer? Compliance Today August

5 Compliance Today August 2016 How will the covered entity or other business associates use the data? (e.g., an application that assists a physician with following up with patients and providing information about an office visit) Were you hired by, or are you paid for your service or product by, a covered entity? How is the data collected? Is it transferred directly to and collecting information for or on behalf of consumers, or on behalf of a provider, health plan, or healthcare clearinghouse? Conversely, according to the OCR guidance, a mobile health app that allows consumers to create, receive, maintain, or transmit information about themselves is not likely required to comply with HIPAA. In this scenario, the individual is the gatekeeper for his/her own information, and the individual has determined to transmit this health information to a third party. Here, the app developer does not have the requisite relationship with the covered entity or the business associate, as the consumer controls all the decisions regarding the transmission of PHI to the third party. Accordingly, wellness apps and other consumer-driven health-related apps not used by covered entities or business associates may not be subject to HIPAA rules and regulations. However, organizations should be aware that these companies might be subject to other regulatory bodies, such as the Federal Trade Commission (FTC) and the Food and Drug Administration (FDA). The FTC guidelines govern similar entities as HIPAA, including: Vendors of personal health records (PHRs) or EHRs, PHR-related entities (i.e., web and mobilebased apps for health information); and among healthcare apps tested, 86% of the 71 apps had at least two critical security vulnerabilities. Third-party service providers for a vendor of PHRs or a PHR-related entity. 3 Developers should also review the FDA standards for mobile applications, some of which are classified as medical devices. The FDA defines a mobile medical application as an app that is an accessory to a regulated medical device, or transforms a medical device into a regulated medical device. 4 These requirements for FDA mobile apps continue to evolve, and the FDA encourages mobile app developers to check these regulations periodically. Importance of HIPAA breach prevention in mhealth There is no doubt that mhealth provides many conveniences and the potential for health enhancements for its users. However, the shelf life of an app may be brief, because the market is saturated and newer/improved versions of these apps develop at a rapid pace. As a result, a healthcare organization may rush to bring new and improved apps to market and may be tempted to overlook critical security measures. Indeed, a 2016 study shows that, among healthcare apps tested, 86% of the 71 apps had at least two critical security vulnerabilities. In addition, 54% of the people they surveyed believed their mobile health apps would be hacked within the next six months. Within that group, 55% were health app users and 48% were health app execs. The study also reported the application layer (i.e., binary protection) is the most vulnerable to cybersecurity risks. 5,6 HIPAA breaches are often costly and may corrode a consumer s confidence with an app and/or the organization promoting the app. Under HIPAA, PHI security breaches require

6 notification of persons whose protected information may have been compromised and can result in penalties up to $50,000 per incident. Conclusion The best defense is to have the best offense. Cybersecurity is the foundation for protection of personal data in an mhealth application. Aside from the usability and benefits mobile healthcare apps provide, protecting and securing PHI are key to an app s success. The following represent a sample of steps an mhealth app developer should take into consideration to support the security of their application and protect PHI: Follow the technical, physical, and administrative specifications from organizations such as OCR, FTC, and FDA, and keep updated on any new developments from these regulatory bodies; Investigate whether data should be encrypted at every point of data lifecycle in the application (e.g., at rest and in transit); Consider any encryption requirements for and other electronic communication; Ensure the app comes equipped with a passcode requirement to access the application; Determine whether technical safeguards such as anti-tampering or anti-counterfeiting measures need to be included in the development of the app. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses. 1. HIMSS Analytics: 3rd Annual HIMSS Analytics Mobile Survey, February 26, Available at: 2. U.S. Department of Health and Human Services, Office for Civil Rights: HIPAA Portal. Available at 3. Federal Trade Commission: Complying with the FTC s Health Breach Notification Rule. Available at: 4. Food and Drug Administration: Nonbinding Guidance on Mobile Medical Applications, February 9, Available at: 5. Arxan: 2016 State of Application Security: Top Health Care Apps in Critical Condition. Available at: 6. Arxan, 2016 State of Application Security: Infographic, Mobile Health Apps. Available at: Now Available! Compliance 101, Fourth Edition Authors Debbie Troklus and Sheryl Vacca have updated Compliance 101 with changes in federal regulations, including HIPAA, HITECH, and the Omnibus Rule as well as new insights on what it takes to build an effective compliance program. This book reviews the fundamentals in healthcare compliance, including the seven essential elements of a compliance program. It includes: Step-by-step instructions on setting up and maintaining a compliance program A chapter dedicated to HIPAA privacy and security regulations A glossary with compliance terms and definitions Sample compliance forms and policies This book is ideal for compliance professionals new to the field, compliance committee members, compliance liaisons, board members, and others who need a foundation in compliance principles. Compliance 101 FOURTH EDITION DEBBIE TROKLUS & SHERYL VACCA softcover available from HCCA: Compliance Today August

All Aboard the HIPAA Omnibus An Auditor s Perspective

All Aboard the HIPAA Omnibus An Auditor s Perspective Rick Dakin CEO & Chief Security Strategist February 20, 2013 1 Agenda Healthcare Security Regulations A Look Back What is the final Omnibus Rule? Changes